cxf-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: CXF 2.4.0 SAML 2.0 support
Date Tue, 10 May 2011 14:40:19 GMT
Hi David,

> Question: Can CXF 2.4.0 currently support the wsse:Security header attached?

Yes, it should be able to both generate and process such a Security
header. The best way to find out is to try it, and then log a JIRA if
you run into a problem. What are your requirements in general? What
sort of use-cases are you trying to support/implement?

> What areas are still under development?

The whole WS-Security* area is under fairly active development at the
moment, even though the functionality is relatively mature at this
stage. I'm doing a lot of work in the XML Security library (Apache
Santuario) that underpins the WS-Security implementation in CXF,
mainly based around performance and getting rid of some thread-safety
issues. I'm also working on improving WS-Trust and WS-SecurityPolicy
support in CXF. I plan to implement Kerberos support some time in the
future.

Colm.

On Fri, May 6, 2011 at 6:37 PM, Morris Jr, David P
<david.p.morris.jr@lmco.com> wrote:
> I started researching the new CXF 2.4.0, interested primarily in the WSS4J and SAML 2.0
> support. Eventually we would like to migrate from our custom implementation of OpenSAML 2.0
> to CXF's SAML 2.0 implementation. Updates to WS-* specifications would be handled by CXF,
> and there would be less code for us to maintain.
>
> Question: Can CXF 2.4.0 currently support the wsse:Security header attached? What areas
> are still under development?
>
> Thanks in advance!
> ________________________________
>   <soap:Header>
>      <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>         <ds:Signature Id="Signature-8" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>            <ds:SignedInfo>
>               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>               <ds:Reference URI="#Timestamp-7">
>                  <ds:Transforms>
>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                  </ds:Transforms>
>                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                  <ds:DigestValue>YtLledhlM4iksIPySqsaBvD+QC8=</ds:DigestValue>
>               </ds:Reference>
>            </ds:SignedInfo>
>            <ds:SignatureValue>MqJV0iG8UHD9U5iGRttnLw4J3sHgar7414w/d1JrG53TmmcHa7w1WWuQJvzmoUgHjfa1EHRtAh88
> c707mFXUeg==</ds:SignatureValue>
>            <ds:KeyInfo Id="KeyId-AB6E726865A429836C130348036689911">
>               <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
>                  <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_6d2de2bb7800cc05774aee8d177f3068</wsse:KeyIdentifier>
>               </wsse:SecurityTokenReference>
>            </ds:KeyInfo>
>         </ds:Signature>
>         <wsu:Timestamp wsu:Id="Timestamp-7" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>            <wsu:Created>2011-04-22T13:52:46.899Z</wsu:Created>
>            <wsu:Expires>2011-04-29T13:52:46.899Z</wsu:Expires>
>         </wsu:Timestamp>
>         <saml2:Assertion ID="_6d2de2bb7800cc05774aee8d177f3068" IssueInstant="2011-04-22T13:52:47.133Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>            <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=LMCA, OU=LMSecurity, O=LMNetworks, L=Windsor Mill, ST=Maryland, C=US</saml2:Issuer>
>            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>               <ds:SignedInfo>
>                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                  <ds:Reference URI="#_6d2de2bb7800cc05774aee8d177f3068">
>                     <ds:Transforms>
>                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                     </ds:Transforms>
>                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                     <ds:DigestValue>y7rnOVmGNYoyzjHKeRNuNw/HnYc=</ds:DigestValue>
>                  </ds:Reference>
>               </ds:SignedInfo>
>               <ds:SignatureValue>EnU7dIXrkDNHPdiJFM8sT1PBSS9Qr68PRQU2iDRDx0l9q1bP7gJubPtTUC6V/PC00HVjjZEwxF/5CtVMiQpK8A==</ds:SignatureValue>
>               <ds:KeyInfo>
>                  <ds:KeyValue>
>                     <ds:RSAKeyValue>
>                        <ds:Modulus>hdL6O/WKqt5NDoOfYlmg6bOsKEB/WXCsSw3wuuRI6zUUlWn4/6BUA21p0D02qfV8M6FzXBInughy
> vwf8I/UAcQ==</ds:Modulus>
>                        <ds:Exponent>AQAB</ds:Exponent>
>                     </ds:RSAKeyValue>
>                  </ds:KeyValue>
>               </ds:KeyInfo>
>            </ds:Signature>
>            <saml2:Subject>
>               <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=LMCA, OU=LMSecurity, O=LMNetworks, L=Windsor Mill, ST=Maryland, C=US</saml2:NameID>
>               <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
>                  <saml2:SubjectConfirmationData>
>                     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                        <ds:KeyValue>
>                           <ds:RSAKeyValue>
>                              <ds:Modulus>hdL6O/WKqt5NDoOfYlmg6bOsKEB/WXCsSw3wuuRI6zUUlWn4/6BUA21p0D02qfV8M6FzXBInughy
> vwf8I/UAcQ==</ds:Modulus>
>                              <ds:Exponent>AQAB</ds:Exponent>
>                           </ds:RSAKeyValue>
>                        </ds:KeyValue>
>                     </ds:KeyInfo>
>                  </saml2:SubjectConfirmationData>
>               </saml2:SubjectConfirmation>
>            </saml2:Subject>
>            <saml2:AuthnStatement AuthnInstant="2011-04-22T13:52:47.133Z" SessionIndex="_6d2de2bb7800cc05774aee8d177f3068">
>               <saml2:SubjectLocality Address="127.0.0.1" DNSName="localhost.domain.com"/>
>               <saml2:AuthnContext>
>                  <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</saml2:AuthnContextClassRef>
>               </saml2:AuthnContext>
>            </saml2:AuthnStatement>
>            <saml2:AttributeStatement>
>               <saml2:Attribute Name="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
>                  <saml2:AttributeValue>Steven Cason</saml2:AttributeValue>
>               </saml2:Attribute>
>               <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
>                  <saml2:AttributeValue>Lockheed Martin ONC-NHIN</saml2:AttributeValue>
>               </saml2:Attribute>
>               <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
>                  <saml2:AttributeValue>urn:oid:9.8.7.6</saml2:AttributeValue>
>               </saml2:Attribute>
>               <saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId">
>                  <saml2:AttributeValue>urn:oid:HIO1_signed</saml2:AttributeValue>
>               </saml2:Attribute>
>               <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
>                  <saml2:AttributeValue>
>                     <hl7:Role hl7:code="307969004" hl7:codeSystem="2.16.840.1.113883.6.96" hl7:codeSystemName="SNOMED_CT" hl7:displayName="Public health officer" xsi:type="CE" xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
>                  </saml2:AttributeValue>
>               </saml2:Attribute>
>               <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
>                  <saml2:AttributeValue>
>                     <hl7:PurposeOfUse hl7:code="PUBLICHEALTH" hl7:codeSystem="2.16.840.1.113883.3.18.7.1" hl7:codeSystemName="nhin-purpose" hl7:displayName="Uses and disclosures for public health activities." xsi:type="CE" xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
>                  </saml2:AttributeValue>
>               </saml2:Attribute>
>               <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id">
>                  <saml2:AttributeValue>6789^^^&amp;1.2.840.114350.1.13.9997.2.3412&amp;ISO</saml2:AttributeValue>
>               </saml2:Attribute>
>               <saml2:Attribute Name="urn:oasis:names:tc:xspa:2.0:subject:npi">
>                  <saml2:AttributeValue>1234567890</saml2:AttributeValue>
>               </saml2:Attribute>
>            </saml2:AttributeStatement>
>            <saml2:AuthzDecisionStatement Decision="Permit" Resource="https://ssa-l0035:8181/pd/PatientDiscoveryGatewayService">
>               <saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml2:Action>
>               <saml2:Evidence>
>                  <saml2:Assertion ID="_c02a5f8985141f6225763f7b5fc1bfc3" IssueInstant="2011-04-22T13:52:47.133Z" Version="2.0">
>                     <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=LMCA, OU=LMSecurity, O=LMNetworks, L=Windsor Mill, ST=Maryland, C=US</saml2:Issuer>
>                     <saml2:Conditions NotBefore="2011-04-22T13:52:47.133Z" NotOnOrAfter="2011-04-29T13:52:47.133Z"/>
>                     <saml2:AttributeStatement>
>                        <saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
>                           <saml2:AttributeValue>urn:oid:1.2.3.4</saml2:AttributeValue>
>                        </saml2:Attribute>
>                        <saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
>                           <saml2:AttributeValue>urn:oid:1.2.3.4.123456789</saml2:AttributeValue>
>                        </saml2:Attribute>
>                     </saml2:AttributeStatement>
>                  </saml2:Assertion>
>               </saml2:Evidence>
>            </saml2:AuthzDecisionStatement>
>         </saml2:Assertion>
>      </wsse:Security>
>      <Action xmlns="http://www.w3.org/2005/08/addressing">urn:hl7-org:v3:PRPA_IN201305UV02:CrossGatewayPatientDiscovery</Action>
>      <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:38e27557-ae31-4afe-a2c8-cd334713cf7b</MessageID>
>      <To soap:mustUnderstand="true" xmlns="http://www.w3.org/2005/08/addressing">https://ssa-l0035:8181/pd/PatientDiscoveryGatewayService?wsdl</To>
>      <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>         <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>      </ReplyTo>
>   </soap:Header>
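Added example (not CXF or WSS4J code): a Python sanity check of the structural bindings a receiver has to enforce for a header like the one quoted above. A holder-of-key token only means something if the message Signature's KeyIdentifier resolves to an assertion in the same header whose SubjectConfirmation method is holder-of-key, and if the Timestamp that signature covers is fresh; this reads those relationships from a trimmed, constructed copy of the sample and does not verify the signatures themselves, which WSS4J does cryptographically. The `max_ttl` policy knob is an assumption; the quoted sample's Timestamp spans a week, so it is flagged against the default.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"

# Constructed sample: the header quoted in the thread, trimmed to the elements these checks read.
SAMPLE = """<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}" xmlns:saml2="{saml2}">
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#Timestamp-7"/></ds:SignedInfo>
  <ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:KeyIdentifier ValueType="{samlid}">_6d2de2bb7800cc05774aee8d177f3068</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 <wsu:Timestamp wsu:Id="Timestamp-7"><wsu:Created>2011-04-22T13:52:46.899Z</wsu:Created>
  <wsu:Expires>2011-04-29T13:52:46.899Z</wsu:Expires></wsu:Timestamp>
 <saml2:Assertion ID="_6d2de2bb7800cc05774aee8d177f3068" Version="2.0"><saml2:Subject>
  <saml2:SubjectConfirmation Method="{hok}"/></saml2:Subject></saml2:Assertion>
</wsse:Security>""".format(samlid=SAMLID, hok=HOK, **NS)
# Constructed evaluation instant, a few minutes after the sample's Created time.
NOW = datetime(2011, 4, 22, 14, 0, tzinfo=timezone.utc)

def check_hok_binding(xml_text, now, max_ttl=timedelta(minutes=5)):
    """Return findings (empty list means the header is structurally consistent)."""
    sec, findings = ET.fromstring(xml_text), []
    sig, ts = sec.find("ds:Signature", NS), sec.find("wsu:Timestamp", NS)
    # 1. The message signature must actually cover the Timestamp it claims to protect.
    refs = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    if "#" + ts.get("{%s}Id" % NS["wsu"]) not in refs:
        findings.append("Timestamp is not covered by the Signature")
    # 2. KeyInfo must point, by SAML ID, at an assertion that is present in this header.
    kid = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") != SAMLID:
        return findings + ["KeyInfo does not reference a SAML token by ID"]
    assertion = sec.find("saml2:Assertion[@ID='%s']" % kid.text.strip(), NS)
    if assertion is None:
        return findings + ["Referenced assertion ID not present in header"]
    # 3. Only a holder-of-key assertion binds a key the sender can prove possession of.
    methods = [c.get("Method") for c in assertion.iterfind("saml2:Subject/saml2:SubjectConfirmation", NS)]
    if HOK not in methods:
        findings.append("Signing token is not a holder-of-key assertion")
    # 4. Freshness: reject expired messages and windows wider than the receiver's TTL policy.
    parse = lambda tag: datetime.fromisoformat(ts.findtext(tag, namespaces=NS).replace("Z", "+00:00"))
    created, expires = parse("wsu:Created"), parse("wsu:Expires")
    if not created <= now < expires:
        findings.append("Timestamp outside its validity window")
    if expires - created > max_ttl:
        findings.append("Timestamp window %s exceeds max_ttl %s" % (expires - created, max_ttl))
    return findings
```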
